Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Shane Bishop <shanebishop () JALC EDU>
Date: Mon, 19 Nov 2007 13:47:03 -0600

We also use the group policy setting: Network security: Do not store LAN
Manager hash value on next password change. This security setting determines
if, at the next password change, the LAN Manager (LM) hash value for the new
password is stored.



Shane Bishop
John A. Logan College
CISM, CISSP, GFSP
http://shanebishop.info
(618) 985-3741 Ext. 8544


-----Original Message-----
From: Julian J Thompson (jthmpsn2) [mailto:jthmpsn2 () MEMPHIS EDU]
Sent: Monday, November 19, 2007 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Slight correction: it's not that Windows doesn't store a hash; it stores
the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is
equivalent to a null password. And since your password is obviously not
null, attempts to crack that hash will fail.

-----Original Message-----
From: Julian J Thompson (jthmpsn2) [mailto:jthmpsn2 () MEMPHIS EDU]
Sent: Monday, November 19, 2007 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Just FYI: we use various password/passphrase methods mentioned, but we
require all admin accounts to be over 14 characters in length. Since Windows
doesn't store the LM hash in anything over 14 characters, it makes it hard to
crack :-)

Still open to keyloggers, though; 2-factor is on the way :-)

--
(J)

-----Original Message-----
From: Randy Marchany [mailto:marchany () CANDI2 CIRT VT EDU]
Sent: Monday, November 19, 2007 12:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

We've been using a tool called "ophcrack" to break into systems where the
user forgot their passwords. It uses rainbow tables to guess passwords, and so
far on Windows boxes we've successfully retrieved up to 12-character
passwords within 10 minutes. The passwords followed our guidelines. This tool
does require physical access to the machine. Special characters can
significantly lengthen the guess time, but basically we need to find another
way to authenticate (2-way authentication, AKA the ATM card/PIN code model)
in the long term.

        -Randy Marchany
        VA Tech IT Security Office and Lab
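As an added illustration of two points in this thread (the null-password LM constant Julian Thompson quotes, and Shane Bishop's note that the group policy setting only takes effect at the next password change), the following is example code written for this archive page, not anything posted by the list members. It audits a constructed pwdump-style dump (user:RID:LM:NT:::): an account whose LM field is anything other than the null constant still has an LM hash on disk and needs a forced password change; the format, user names and every hash value except the null constant are assumed/constructed.

```python
from typing import List, NamedTuple

# LM hash Windows stores for a null password: the LM field holds this constant
# once no LM hash is kept (password over 14 chars, or the "Do not store LAN
# Manager hash value on next password change" policy has applied).
NULL_LM_HASH = "AAD3B435B51404EE" * 2
# LM hashes each 7-character half of the padded password separately, so an
# empty second half hashes to the same 16-hex-digit constant.
NULL_LM_HALF = NULL_LM_HASH[:16]


class Account(NamedTuple):
    user: str
    lm_hash: str            # upper-case hex, 32 digits
    lm_stored: bool         # a real LM hash is present: still rainbow-table material
    weak_second_half: bool  # second half is the null constant: password is 7 chars or fewer


def parse_pwdump_line(line: str) -> Account:
    """Parse one 'user:rid:lmhash:nthash:::' line (assumed format) into an Account."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    lm = fields[2].upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        raise ValueError(f"bad LM hash field for {fields[0]}: {lm!r}")
    lm_stored = lm != NULL_LM_HASH
    return Account(fields[0], lm, lm_stored, lm_stored and lm[16:] == NULL_LM_HALF)


def accounts_needing_password_change(dump: str) -> List[str]:
    """Users whose LM hash is still stored. The policy only drops the LM hash at the
    next password change, so these accounts must be made to change their password."""
    accounts = [parse_pwdump_line(l) for l in dump.splitlines() if l.strip()]
    return [a.user for a in accounts if a.lm_stored]


# Constructed sample dump: names and hashes are made up except the null constant.
SAMPLE_DUMP = """\
svc_backup:1001:0123456789ABCDEF0123456789ABCDEF:00112233445566778899AABBCCDDEEFF:::
jdoe:1002:1122334455667788AAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
admin_long:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899AABBCCDDEEFF:::
"""

if __name__ == "__main__":
    for acct in (parse_pwdump_line(l) for l in SAMPLE_DUMP.splitlines()):
        status = "LM hash stored" if acct.lm_stored else "no LM hash (null constant)"
        extra = ", password is 7 chars or fewer" if acct.weak_second_half else ""
        print(f"{acct.user}: {status}{extra}")
    print("force password change for:", accounts_needing_password_change(SAMPLE_DUMP))
```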
